CVE-2016-0715 Remote Information Disclosure

Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

Cloud Foundry v166 through v227

Cloud Foundry Java Buildpack v2.0 through v3.4

Description

Original mitigation configuration instructions provided as part of CVE-2016-0708 were incomplete and could leave PHP Buildpack, Staticfile Buildpack and potentially other custom Buildpack applications vulnerable to remote information disclosure. Affected applications use automated buildpack detection, serve files directly from the root of the application and have a buildpack that matched after the Java Buildpack in the system buildpack priority when Java Buildpack versions 2.0 through 3.4 were present.

Affected Pivotal Products and Versions

Pivotal Cloud Foundry Elastic Runtime 1.4.0 through 1.4.5

Pivotal Cloud Foundry Elastic Runtime 1.5.0 through 1.5.11

Pivotal Cloud Foundry Elastic Runtime 1.6.0 through 1.6.11

Mitigation

Pivotal customers should follow one of the mitigations below:

Upgrade to Elastic Runtime 1.5.12 and later versions of 1.5.x

Upgrade to Elastic Runtime 1.6.12 and later versions of 1.6.x

Cloud Foundry OSS users are strongly encouraged to follow one of the mitigations below:

Upgrade to Cloud Foundry v228 or later using a configuration option that remediates the issue. The updated configuration option is available on the cf-release v228 github release page and matches any directory in the application container containing the sensitive file [1][2].

Upgrade the Java Buildpack to v3.5.1 [3] or later and restage all applications that use automated buildpack detection.

If only the Java Buildpack mitigation is used, it is required that all applications using automated buildpack detection are re-staged once Java Buildpack 3.5.1 or later to remediate this issue.

If the upgrade to Cloud Foundry v228 or later with the configuration option mitigation is used, running applications will no longer contain the sensitive information. It is still recommended to update the system buildpack to the Java Buildpack v3.5.1 or later ask users to restage all applications that use automated buildpack detection so that sensitive information is not written to disk.

It is possible that sensitive application information may have been disclosed before the remediation, therefore it is recommended that applications using automated buildpack detection rotate credentials including environment variables for bound services, user-provided service instances, and developer provided environment variables. Most Service Brokers provide new credentials to each application using an unbind-service and bind-service sequence of commands.